Skip to main content
Analysis

GAO Warns DOD Hasn't Planned for a CMMC Assessor Shortage — What That Means for Your Certification Timeline

The Government Accountability Office found DoD's CMMC rollout plan strong on six of seven strategic elements but incomplete on one: it has not documented how it will handle key external risks — chief among them the possibility that the private sector won't have enough certified C3PAO assessors to meet demand. With CMMC Phase 2 starting November 10, 2026, that unmanaged assessor-capacity gap is a direct scheduling risk for defense contractors. (GAO-26-107955; DoD concurred with GAO's recommendation.)

Brandon Hancock, J.D., CMMC-RPPublished July 6, 2026Updated July 6, 20266 min read

A congressional watchdog says the Defense Department has a solid plan for rolling out CMMC — with one gap. It hasn't documented what happens if there aren't enough certified assessors to go around. For contractors racing toward Phase 2, that gap is your scheduling risk.

On March 12, 2026, the Government Accountability Office published a report finding that the Department of Defense (DoD) has not systematically assessed or documented the external factors that could keep its Cybersecurity Maturity Model Certification (CMMC) program from meeting its goals — chief among them the risk that the private sector will not have enough certified assessors to handle the demand. The report, Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation (GAO-26-107955), was mandated by Congress and is worth reading by anyone who will need a third-party assessment to keep bidding on defense work.

What GAO Found

DoD relies on roughly 200,000 private companies for goods and services, and those companies routinely store sensitive information on their own systems. CMMC, established in 2020 and streamlined in 2024, exists to verify that those companies actually meet the cybersecurity requirements in their contracts. DoD plans to phase the program in over three years.

GAO measured DoD's implementation plans against seven key elements of a comprehensive strategy. DoD's plans addressed six of the seven. The one it only partially addressed was identifying the key external factors that could affect whether the program meets its goals. DoD has taken steps to manage program risks generally, but — according to DoD's own officials — it did not assess and document how it intends to mitigate the risk that private-sector capacity to perform assessments will fall short of what the program needs.

That is the crux of the report. The program's design depends on a private-sector ecosystem of authorized assessors, and DoD has not put on paper a plan for what it does if that ecosystem cannot keep pace.

The Assessor-Capacity Problem

Here is why this is not an abstract audit finding. Under CMMC, many contractors that handle Controlled Unclassified Information (CUI) will need a Level 2 certification assessment performed by a Certified Third-Party Assessment Organization (C3PAO). Those C3PAOs are private companies, accredited through the CMMC ecosystem — not government assessors. There are a finite number of them, and every defense contractor pursuing certification is drawing from the same pool.

GAO noted that DoD leaders can issue waivers if external factors create significant challenges. But a waiver, as the report points out, does not fix the underlying problem — and depending on how often DoD reaches for that tool, waivers could undermine the long-term viability of a program whose entire purpose is to verify that companies meet federal cybersecurity requirements. A program that waives its own verification step at scale is not doing the job it was built to do.

Why This Matters for Your Certification Timeline

The practical takeaway sits at the intersection of this report and the calendar. CMMC Phase 2 begins November 10, 2026, and with it, solicitations may require C3PAO certification rather than self-assessment. If GAO is right that assessor capacity is an unmanaged risk, the contractors most exposed are the ones who wait until a solicitation forces the issue and then join a queue that DoD itself has not planned around.

You cannot control how many C3PAOs exist. You can control whether you are early in the line or late in it. A capacity shortage does not hurt the contractor who scheduled six months out; it hurts the one who started looking in November.

What Contractors Should Do

1. Assume the queue is real and get in it early. Do not build your compliance schedule on the hope that assessor supply will expand to meet demand on your timeline. GAO's finding is that no one has documented a plan to make that happen.

2. Be assessment-ready before you book. A C3PAO assessment is built on the same 110 controls in NIST SP 800-171. Complete your self-assessment, document your System Security Plan, and close or scope your Plan of Action and Milestones items before you schedule, so an assessor's limited time is spent verifying, not discovering.

3. Confirm what your contracts actually require. Use the Find My Requirements tool to map which of your defense contracts trigger a Level 2 C3PAO assessment versus a self-assessment, and review the CMMC program framework so you know which phase applies to you.

4. Watch the waiver conversation, but don't rely on it. If DoD leans on waivers to manage a capacity crunch, that is a program-office discretionary call — not a compliance strategy you can plan around. Treat any relief as a bonus, not a baseline.

GAO recommended that the Secretary of Defense ensure the DoD Chief Information Officer assesses and documents these external factors and develops approaches to address them. DoD concurred. That is the right outcome — but the recommendation remains open, and "concurred" is not the same as "fixed." Until it is, the assessor-capacity risk is one contractors have to manage for themselves.

Key Takeaways

  • GAO found DoD's CMMC rollout plan strong on six of seven strategic elements but incomplete on one: DoD has not documented how it will handle key external risks, most notably the possibility that there won't be enough private-sector C3PAO assessors to meet demand.
  • With CMMC Phase 2 starting November 10, 2026, the assessor-capacity gap is a direct scheduling risk — the contractors who start their certification process early are insulated from a queue that DoD itself has not planned around.
  • DoD concurred with GAO's recommendation to assess and document these factors, but the recommendation is still open; contractors should treat waivers as discretionary relief, not a compliance plan, and get assessment-ready now.
Share
BH

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.

Was this post helpful?